Abstract

This essay will examine PBX bugging. It begins by defining
this attack strategy and discussing basic telephony. Next, it examines
different types of bugging devices that can be used to conduct such an
operation. The essay then explores several examples of PBX bugging and
possible countermeasures. It concludes with a brief examination of future
trends based on the changing world of telecommunications.

Introduction

Is someone listening? Many employees of private companies
and government organizations ponder that question every time they pick up
the telephone. The answer is maybe, and if not there are several methods
they could use to start. The US Department of State, in its annual Country
Reports on Human Rights Practices for 1994, reported widespread, illegal or
uncontrolled phone tapping by both government and private groups in over 70
countries. [3] Due to the sharp rise in corporate and economic espionage,
businesses and government agencies are most vulnerable to a form of
wiretapping known as PBX bugging.

Defintions

A PBX or Private Branch Exchange is a private telephone
network used within an organization. [8] The PBX connects directly to the
Central Office (CO) of the local telecommunication company in most cases
using trunks. Internal users of the PBX system can then share lines for
internal and external calls, use features like voicemail, and even
communicate with each other via extensions. [8] Therefore, PBX Wiretapping
(Bugging) is an attack whose focus is to exploit weaknesses, allowing
connected telephone instruments to be tapped. [2]

Types of Wiretaps and Bugs

Wiretapping is the basic premise of PBX bugging. The goal
of wiretapping is to secure quality information and/or ensure successful
exploitation of features. [1] Wiretaps can be broken down into four
categories. A hardwire tap is when physical access is gained to a section of
wire that the signal travels on. [1] In the case of a telephone line, a
second set of wires is attached and data is transmitted to the listener. It
is difficult to detect but easy to trace to the source. Next, is the soft
wiretap. This involves the software used to run the PBX or phone system. [1]
This method can give an individual unfettered access to all the internal
properties of the PBX. Both methods are popular with law enforcement and
intelligence gathering agencies. [1] Hackers can access the PBX via a modem,
which is generally reserved for maintenance, and they prefer the soft
wiretap. There is also the Record wiretap, which is simply used to record
conversations using a recorder and hardwire tap. [1] Finally, there is a
transmit wiretap which uses a transmitter connected to a hardwire to radio
information back to a listener. [1] This type of tap can be especially
difficult to identify.

A bug is a device, which is placed in an area which then
intercepts communications and transmits information to the listener(s).
There are five primary categories of bugs. An acoustic bug is the placing of
a water glass, stethoscope, or rubber hose into the target area. [1] This
type of eavesdropping requires no electronics. The ultrasonic bug is a
technique used to convert sound into an audio signal above the range of
human sound. [1] Next, is the RF bug. This is the most commonly used bug; it
involves placing a listening device at the target site and transmitting
information directly to the perpetrator. [1] Finally, there is the optical
bug, which converts sound or data to a beam of light. This method is the
least used due to cost and complexity. [1] Information on bugs is included
to illustrate that these methods can be used in conjunction with or in
support of PBX bugging.

Examples of PBX bugging

PBX bugging can occur in several forms including the
on-hook bugging of hand-held instruments, open microphone listening, and
exploitation of silent conference calling features. [2] On hook bugging uses
the phone as an active bug; the hook switch is shorted in some way. [5] A
listen-down the line amplifier is then connected to the line. This allows
the listener to monitor audio in the room through the phone. [5]
Additionally, cordless phones and private phone systems may have the
functionality to monitor a room by pressing the correct sequence of keys.
[5] Conference calling has eliminated the need for many face-to-face
meetings. At the same time, it has required additional functionality in
handsets as well as the software of the PBX. Using this feature can allow a
listener to use the conference function to secretly listen in on conference
calls as a member of the call. This occurs while the participants are
unaware. It appears that many of the advancements in telecommunications
meant to enhance productivity also enhance the threat of bugging and
eavesdropping. In order to better understand this process, I have provided
two distinct examples.

From 1989 to 1991, Kevin Poulsen monitored his girlfriend,
associates, and federal wiretaps using Pacific Bell's COSMOS system. He was
able to take control of the system remotely. Consequently, he was able to
determine which lines serviced by Pacific Bell the Federal Government
tapped. [7] Another example of such activity occurred while President
Clinton was in the White House. It is believed that Israeli intelligence
sources placed agents at a local telecommunications company. The FBI asserts
that they used sophisticated means to listen to conversations from remote
telephone sites, and may have had the capability of providing real-time
audio feeds directly to Tel Aviv. [6] The nature of this type of activity
should illustrate its serious implications to national security.

Countermeasures

Speech scrambling is a tactic that can be used to counter
bugging. Speech inversion is a variation of this and works by taking a
signal and turning it inside out. [5] Encryption is the ideal method and is
much more robust than any other form of protection. [5] Voice encryption
occurs by digitizing the conversation at the handset. [5] Using this method
requires the listener to have the ability to not only wiretap but also
decrypt the intercepted information. Removing multi-line analog sets from
the PBX is prudent; these phones should be placed on individual POTS (Plain
Old Telephone Switching) lines that are unassociated with the PBX. To
protect against unauthorized recordings of conversations, experts suggest a
technique called "band masking" where noise is played into the line to
prevent recording. [5] Finally, telephone cables should be shielded to
prevent RF bugging. [5] While not 100 percent secure, these techniques
coupled with proper training for network and telecommunications
administrators should help reduce the risk of PBX bugging.

The Future

New technologies, such as computerized voice recognition,
are being used by U.S. intelligence agencies. Voice Recognition is primarily
used with cellular phones, however as organizations employ more wireless
voice and data infrastructures, such technology will become more germane to
this topic.

Wiretapping capability is already built into many central
office telephone switches, and the government can require carriers to
intercept or report on communications by request [4]. However, these
requirements do not apply to corporations that use PBX systems. [4]
Interestingly, as voice, data, and video converge, they will use the
Internet as the medium to communicate; the question of wiretapping may
become less pressing. However, there will still be opportunities to exploit
legacy TDM (Time Division Multiplexing) based PBX systems via the methods
mentioned earlier, as well as new methodologies for breaking down the
encryption used to transfer data over the Internet.

Conclusions

Finally, we must acknowledge the ongoing debate regarding
the constitution and right to privacy. Today, it is illegal to eavesdrop on
conversations without consent of the party or a warrant. It is also unlawful
to manufacture or sell such equipment in the United States. Nonetheless, it
takes little effort to acquire such equipment via the Internet. This issue
will continue to be fueled by the war on terror and legislation like the
Patriot Act. Needless to say, the government will continue to seek ways to
gather information, as they deem appropriate. PBX bugging is not a new
phenomenon. Consequently, it safe to assume thieves, spies, and the
government will continue to develop the capabilities and means to accomplish
the goals accomplished today via traditional PBX bugging.